GHSA-pgxq-p76c-x9cg

Source

https://github.com/advisories/GHSA-pgxq-p76c-x9cg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-pgxq-p76c-x9cg/GHSA-pgxq-p76c-x9cg.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-pgxq-p76c-x9cg

Aliases

CVE-2026-47266

Published

2026-05-29T22:19:19Z

Modified

2026-05-29T22:31:19.923259518Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

formie's unauthenticated front-end submission editing can overwrite existing submissions

Details

Impact

Unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission.

Patches

2.2.21, 3.1.26

Workarounds

Block unauthenticated access to actions/formie/submissions/save-submission, or disable/customize front-end submission editing until patched.

Credit

formie extends many thanks to: - Florian (Cyber Security Engineer, arcade solutions ag) - Contact: security@arcade.ch

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2026-05-29T20:16:28Z",
    "github_reviewed_at": "2026-05-29T22:19:19Z",
    "cwe_ids": [
        "CWE-639"
    ],
    "severity": "HIGH"
}

References

Affected packages

Packagist / verbb/formie

Package

Name: verbb/formie
Purl: pkg:composer/verbb%2Fformie

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.1.26

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.0.13

3.0.14

3.0.15

3.0.16

3.0.17

3.0.18

3.0.19

3.0.20

3.0.21

3.0.22

3.0.23

3.0.24

3.0.25

3.0.26

3.0.27

3.0.28

3.0.29

3.0.30

3.0.31

3.0.32

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.21

3.1.22

3.1.23

3.1.24

3.1.25

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-pgxq-p76c-x9cg/GHSA-pgxq-p76c-x9cg.json"

Packagist / verbb/formie

Package

Name: verbb/formie
Purl: pkg:composer/verbb%2Fformie

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.21

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.9.1

1.1.0

1.1.1

1.1.1.1

1.1.2

1.1.3

1.1.4

1.1.4.1

1.1.5

1.1.6

1.1.7

1.1.8

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.7.1

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.2.14

1.2.15

1.2.16

1.2.17

1.2.18

1.2.19

1.2.20

1.2.21

1.2.22

1.2.23

1.2.23.1

1.2.24

1.2.25

1.2.26

1.2.27

1.2.28

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.3.11

1.3.12

1.3.13

1.3.14

1.3.15

1.3.16

1.3.16.1

1.3.17

1.3.18

1.3.19

1.3.19.1

1.3.20

1.3.21

1.3.22

1.3.23

1.3.24

1.3.25

1.3.26

1.3.27

1.4.0

1.4.0.1

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

1.4.10

1.4.11

1.4.12

1.4.13

1.4.14

1.4.15

1.4.16

1.4.17

1.4.18

1.4.19

1.4.20

1.4.21

1.4.21.1

1.4.22

1.4.23

1.4.24

1.4.25

1.4.26

1.4.27

1.4.28

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.5.9

1.5.10

1.5.11

1.5.12

1.5.13

1.5.13.1

1.5.13.2

1.5.14

1.5.15

1.5.16

1.5.17

1.5.18

1.5.19

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.6.11

1.6.12

1.6.13

1.6.14

1.6.15

1.6.16

1.6.17

1.6.18

1.6.19

1.6.20

1.6.21

1.6.22

1.6.23

1.6.24

1.6.25

1.6.26

1.6.27

1.6.28

1.6.29

1.6.30

1.6.31

1.6.32

1.6.33

1.6.34

1.6.35

1.6.36

1.6.36.1

1.6.37

1.6.38

1.6.39

1.6.40

1.6.41

1.6.42

1.6.43

1.6.44

1.6.45

1.6.46

1.6.47

2.*

2.0.0-beta.1

2.0.0-beta.2

2.0.0-beta.3

2.0.0-beta.4

2.0.0-beta.5

2.0.0-beta.6

2.0.0-beta.7

2.0.0-beta.8

2.0.0-beta.9

2.0.0-beta.10

2.0.0-beta.11

2.0.0-beta.12

2.0.0-beta.13

2.0.0-beta.14

2.0.0-beta.15

2.0.0-beta.16

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.0.19

2.0.20

2.0.21

2.0.22

2.0.23

2.0.23.1

2.0.24

2.0.25

2.0.25.1

2.0.26

2.0.27

2.0.27.1

2.0.28

2.0.29

2.0.30

2.0.31

2.0.32

2.0.33

2.0.34

2.0.34.1

2.0.35

2.0.36

2.0.37

2.0.38

2.0.39

2.0.40

2.0.41

2.0.42

2.0.43

2.0.44

2.0.44.1

2.0.45

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

2.1.16

2.1.17

2.1.18

2.1.19

2.1.20

2.1.21

2.1.22

2.1.23

2.1.24

2.1.25

2.1.26

2.1.27

2.1.28

2.1.29

2.1.30

2.1.31

2.1.32

2.1.33

2.1.34

2.1.35

2.1.36

2.1.37

2.1.38

2.1.39

2.1.40

2.1.41

2.1.42

2.1.43

2.1.44

2.1.45

2.1.46

2.1.47

2.1.48

2.1.49

2.1.50

2.1.51

2.1.52

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.2.17

2.2.18

2.2.19

2.2.20

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-pgxq-p76c-x9cg/GHSA-pgxq-p76c-x9cg.json"